Problem to follow IPSec parameter changes

Hello all,

We use a service which requires an IPSec VPN. Until recently it worked fine, but we have received a message that the IPSec VPN parameters need to be changed, and now I am stuck.

The previous configuration looks like this

and should be changed to this:

I have come this far

With this configuration I can see in the policy that the PH2 state alternates between “msg1 send” and “no phase2”. The IPSec log didn't show me an error message, and I thought that I must deactivate “aes-256 cbc” in the proposal, but if I try I get this error message

I add the IPSec log (ipsec, debug !package) here; perhaps someone can find my error.

Jun/05/2025 09:59:41 ipsec,debug ===== sending 260 bytes from <IPSec own puplic IP>[500] to <IPSec Targethost>[500]
Jun/05/2025 09:59:41 ipsec,debug 1 times of 260 bytes message will be sent to <IPSec Targethost>[500]
Jun/05/2025 09:59:41 ipsec,debug ===== received 300 bytes from <IPSec Targethost>[500] to <IPSec own puplic IP>[500]
Jun/05/2025 09:59:41 ipsec,debug ===== sending 288 bytes from <IPSec own puplic IP>[500] to <IPSec Targethost>[500]
Jun/05/2025 09:59:41 ipsec,debug 1 times of 288 bytes message will be sent to <IPSec Targethost>[500]
Jun/05/2025 09:59:46 ipsec,debug ===== sending 288 bytes from <IPSec own puplic IP>[500] to <IPSec Targethost>[500]
Jun/05/2025 09:59:46 ipsec,debug 1 times of 288 bytes message will be sent to <IPSec Targethost>[500]
Jun/05/2025 09:59:51 ipsec,debug ===== sending 288 bytes from <IPSec own puplic IP>[500] to <IPSec Targethost>[500]
Jun/05/2025 09:59:51 ipsec,debug 1 times of 288 bytes message will be sent to <IPSec Targethost>[500]
Jun/05/2025 09:59:56 ipsec,debug ===== sending 288 bytes from <IPSec own puplic IP>[500] to <IPSec Targethost>[500]
Jun/05/2025 09:59:56 ipsec,debug 1 times of 288 bytes message will be sent to <IPSec Targethost>[500]
Jun/05/2025 10:00:01 ipsec,debug ===== sending 288 bytes from <IPSec own puplic IP>[500] to <IPSec Targethost>[500]
Jun/05/2025 10:00:01 ipsec,debug 1 times of 288 bytes message will be sent to <IPSec Targethost>[500]
Jun/05/2025 10:00:11 ipsec,debug ===== sending 260 bytes from <IPSec own puplic IP>[500] to <IPSec Targethost>[500]
Jun/05/2025 10:00:11 ipsec,debug 1 times of 260 bytes message will be sent to <IPSec Targethost>[500]
Jun/05/2025 10:00:11 ipsec,debug ===== received 300 bytes from <IPSec Targethost>[500] to <IPSec own puplic IP>[500]
Jun/05/2025 10:00:11 ipsec,debug ===== sending 272 bytes from <IPSec own puplic IP>[500] to <IPSec Targethost>[500]
Jun/05/2025 10:00:11 ipsec,debug 1 times of 272 bytes message will be sent to <IPSec Targethost>[500]
Jun/05/2025 10:00:16 ipsec,debug ===== sending 272 bytes from <IPSec own puplic IP>[500] to <IPSec Targethost>[500]
Jun/05/2025 10:00:16 ipsec,debug 1 times of 272 bytes message will be sent to <IPSec Targethost>[500]
Jun/05/2025 10:00:21 ipsec,debug ===== sending 272 bytes from <IPSec own puplic IP>[500] to <IPSec Targethost>[500]
Jun/05/2025 10:00:21 ipsec,debug 1 times of 272 bytes message will be sent to <IPSec Targethost>[500]
Jun/05/2025 10:00:26 ipsec,debug ===== sending 272 bytes from <IPSec own puplic IP>[500] to <IPSec Targethost>[500]
Jun/05/2025 10:00:26 ipsec,debug 1 times of 272 bytes message will be sent to <IPSec Targethost>[500]
Jun/05/2025 10:00:31 ipsec,debug ===== sending 272 bytes from <IPSec own puplic IP>[500] to <IPSec Targethost>[500]
Jun/05/2025 10:00:31 ipsec,debug 1 times of 272 bytes message will be sent to <IPSec Targethost>[500]
Jun/05/2025 10:00:41 ipsec,debug ===== sending 260 bytes from <IPSec own puplic IP>[500] to <IPSec Targethost>[500]
Jun/05/2025 10:00:41 ipsec,debug 1 times of 260 bytes message will be sent to <IPSec Targethost>[500]
Jun/05/2025 10:00:41 ipsec,debug ===== received 300 bytes from <IPSec Targethost>[500] to <IPSec own puplic IP>[500]
Jun/05/2025 10:00:41 ipsec,debug ===== sending 288 bytes from <IPSec own puplic IP>[500] to <IPSec Targethost>[500]
Jun/05/2025 10:00:41 ipsec,debug 1 times of 288 bytes message will be sent to <IPSec Targethost>[500]
Jun/05/2025 10:00:46 ipsec,debug ===== sending 288 bytes from <IPSec own puplic IP>[500] to <IPSec Targethost>[500]
Jun/05/2025 10:00:46 ipsec,debug 1 times of 288 bytes message will be sent to <IPSec Targethost>[500]
Jun/05/2025 10:00:51 ipsec,debug ===== sending 288 bytes from <IPSec own puplic IP>[500] to <IPSec Targethost>[500]
Jun/05/2025 10:00:51 ipsec,debug 1 times of 288 bytes message will be sent to <IPSec Targethost>[500]
Jun/05/2025 10:00:56 ipsec,debug ===== sending 288 bytes from <IPSec own puplic IP>[500] to <IPSec Targethost>[500]
Jun/05/2025 10:00:56 ipsec,debug 1 times of 288 bytes message will be sent to <IPSec Targethost>[500]
Jun/05/2025 10:00:58 ipsec,debug <IPSec tunnel> DPD monitoring....
Jun/05/2025 10:00:58 ipsec,debug hash(sha1)
Jun/05/2025 10:00:58 ipsec,debug 92 bytes from <IPSec tunnel>[4500] to <IPSec tunnel>[57033]
Jun/05/2025 10:00:58 ipsec,debug 1 times of 96 bytes message will be sent to <IPSec tunnel>[57033]
Jun/05/2025 10:00:58 ipsec,debug sendto Information notify.
Jun/05/2025 10:00:58 ipsec,debug <IPSec tunnel> DPD R-U-There sent (0)
Jun/05/2025 10:00:58 ipsec,debug <IPSec tunnel> rescheduling send_r_u (5).
Jun/05/2025 10:00:58 ipsec,debug ===== received 92 bytes from <IPSec tunnel>[57033] to <IPSec tunnel>[4500]
Jun/05/2025 10:00:58 ipsec,debug receive Information.
Jun/05/2025 10:00:58 ipsec,debug hash(sha1)
Jun/05/2025 10:00:58 ipsec,debug hash validated.
Jun/05/2025 10:00:58 ipsec,debug begin.
Jun/05/2025 10:00:58 ipsec,debug seen nptype=8(hash) len=24
Jun/05/2025 10:00:58 ipsec,debug seen nptype=11(notify) len=32
Jun/05/2025 10:00:58 ipsec,debug succeed.
Jun/05/2025 10:00:58 ipsec,debug <IPSec tunnel> notify: R_U_THERE_ACK
Jun/05/2025 10:00:58 ipsec,debug <IPSec tunnel> DPD R-U-There-Ack received
Jun/05/2025 10:00:58 ipsec,debug received an R-U-THERE-ACK
Jun/05/2025 10:01:01 ipsec,debug ===== sending 288 bytes from <IPSec own puplic IP>[500] to <IPSec Targethost>[500]
Jun/05/2025 10:01:01 ipsec,debug 1 times of 288 bytes message will be sent to <IPSec Targethost>[500]


Change the profile configuration to:

/ip ipsec profile
set [ find name=profile_swyxON ] dh-group=modp3072,ecp521 enc-algorithm=aes256 prf-algorithm=sha256

And the proposal to:

/ip ipsec proposal
set [ find name=proposalSwyxON ] enc-algorithms=aes-256-gcm pfs-group=none

Thank you TheCat12,

but I still get the error when trying to modify the proposal, and it seems to be bound to the encryption-algorithm settings.

The thing that puzzled me the most is that I can set every algorithm up to aes-256-ctr alone,
but if I try to set an aes gcm or the chacha20poly I need to set a second algorithm other than chacha or gcm.

By the way, I forgot to mention it's an RB1100AHx4 Dude Edition with RouterOS v7.19.1

Per the following topic it seems that AES-256-GCM has its own auth algorithm and subsequently any other should be removed from the proposal config:

/ip ipsec proposal
set [ find name=proposalSwyxON ] auth-algorithms=""

The only way I am able to set only the aes-256 gcm algorithm seems to be to have no auth algorithm selected.

I created a new proposal and only set the aes-256 gcm first, without an authentication algorithm set. If I try to set the auth algorithm now, even if it is “null”, I get the AEAD error message.

The IPSec tunnel is still stuck in the “no phase” situation.

I would suggest opening a support ticket because this seems like a bug

Almost all uses of AES in GCM mode forego the use of a separate hash algorithm, essentially message authentication is built-in. Therefore providing a hash algorithm when it is used is nonsensical; whether Mikrotik should accept auth=null (or automatically assume it if GCM is used) is an interface question and would at least merit documentation. This might be a legitimate bug, even if only in terms of documentation.

Phase 1 and phase 2 are different. In ikev1 they are very different in terms of their cryptography; in ikev2 they are much more similar. Ikev1 generally doesn’t therefore allow the usage of GCM - at least not in the way it’s usually used. This is a fairly good answer:
https://crypto.stackexchange.com/questions/74411/why-cant-aes-gcm-be-used-in-ikev1-phase-1
For ikev2, GCM mode may be used. There are quite a few vendors who don’t (yet?) implement this.

There is no marked benefit of GCM mode for phase1 over CBC mode with at least sha256 hashing.
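
The AEAD rule discussed in this thread, as an added example that is not part of the original posts: a Python sketch that decodes an IKEv2 proposal substructure (RFC 7296 section 3.3.1) and flags the two combinations section 3.3 forbids, an AEAD cipher mixed with a non-AEAD cipher in one proposal, and an integrity transform other than NONE offered with an AEAD cipher. The function names, the SPI and both sample proposals are constructed for illustration.

```python
import struct

# Subset of the IANA IKEv2 transform registries relevant to this thread.
T_ENCR, T_INTEG, T_ESN = 1, 3, 5
AES_CBC, AES_GCM_16, HMAC_SHA2_256_128 = 12, 20, 12
AEAD_IDS = {14, 15, 16, 18, 19, 20, 28}  # AES-CCM, AES-GCM, ChaCha20-Poly1305
KEY_LENGTH = 0x800E  # attribute type 14 with the fixed-length (AF) bit set
ESP = 3


def build_transform(ttype, tid, keylen=None, last=False):
    """Encode one transform substructure (helper for the constructed samples)."""
    attrs = struct.pack("!HH", KEY_LENGTH, keylen) if keylen else b""
    head = struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), ttype, 0, tid)
    return head + attrs


def build_proposal(spi, transforms):
    """Encode a single ESP proposal (proposal number 1) around the transforms."""
    body = spi + b"".join(transforms)
    head = struct.pack("!BBHBBBB", 0, 0, 8 + len(body), 1, ESP, len(spi), len(transforms))
    return head + body


def parse_proposal(data):
    """Decode one proposal substructure into (protocol_id, [(type, id, keylen)])."""
    _, _, length, _, proto, spi_size, count = struct.unpack_from("!BBHBBBB", data, 0)
    if length != len(data):
        raise ValueError("proposal length field does not match buffer")
    off, out = 8 + spi_size, []
    for _ in range(count):
        _, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", data, off)
        if tlen < 8 or (tlen - 8) % 4 or off + tlen > len(data):
            raise ValueError("bad transform length")
        keylen = None
        for a in range(off + 8, off + tlen, 4):  # fixed-length attributes only
            atype, aval = struct.unpack_from("!HH", data, a)
            if atype == KEY_LENGTH:
                keylen = aval
        out.append((ttype, tid, keylen))
        off += tlen
    return proto, out


def check_aead_rule(transforms):
    """Return the RFC 7296 section 3.3 violations found in one proposal."""
    encr = [tid for t, tid, _ in transforms if t == T_ENCR]
    integ = [tid for t, tid, _ in transforms if t == T_INTEG and tid != 0]
    aead = [e for e in encr if e in AEAD_IDS]
    problems = []
    if aead and len(aead) != len(encr):
        problems.append("AEAD and non-AEAD ciphers mixed in one proposal")
    if aead and integ:
        problems.append("integrity transform offered together with an AEAD cipher")
    return problems


SPI = bytes.fromhex("11223344")  # constructed SPI, not taken from any log
MIXED = build_proposal(SPI, [  # constructed: CBC + GCM + SHA-256 in one proposal
    build_transform(T_ENCR, AES_CBC, 256), build_transform(T_ENCR, AES_GCM_16, 256),
    build_transform(T_INTEG, HMAC_SHA2_256_128), build_transform(T_ESN, 0, last=True)])
GCM_ONLY = build_proposal(SPI, [  # constructed: GCM alone, no integrity transform
    build_transform(T_ENCR, AES_GCM_16, 256), build_transform(T_ESN, 0, last=True)])

if __name__ == "__main__":
    for name, blob in (("mixed", MIXED), ("gcm-only", GCM_ONLY)):
        print(name, check_aead_rule(parse_proposal(blob)[1]) or "ok")
```
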